Tracking Mobile Spyware during the Telegram blocking in Iran(Part I)

29 January 2018

Executive summary

Full forensics report: [PDF]

During the first of week of January 2018, Qurium received numerous reports from Iran concerning a massive distribution of links promoting the download of fake VPN applications. The fake Android mobile applications were distributed by SMS links, taking advantage of the blocking of Telegram in Iran, to deceive users to install the applications.

The first fake application used the name فیلترشکن آمدنیوز (Amadnews Filtershekan) and was hosted in the Amazon Storage, and the second sample impersonated the software “psiphon6” and was initially hosted at Backstory.com cloud service and later on at serverclient12.tk.

Our detailed analysis of the collected samples shows the privacy intrusive capabilities of the fake Android applications and how the attacker(s) behind the fake psiphon6 software can access all personal information on infected devices.

The malware, remotely controlled via the Iranian mobile notification service “pushe.co”, has the ability to snoop the SMS involved in two-factor-authentication. Additionally, the attacker can also gain access to location information and contact details. Based on open source intelligence, we have managed to trace back the source code of the malware to a persona with the name “Amir Parsa Dehfoli”, who is working, or has been working with the Iranian startup company Ad Venture (ad-venture.ir).

During the last week we have shared our findings with the security community including the MAHER/National CERTCC of Iran and we expect to gain a full understanding of who are the actors behind the attacks and their ultimate motivations.

PART I: Tracking Mobile Spyware during the Telegram blocking in Iran – Full forensics report: [PDF] (30 January 2018)

PART II: Fake Mobile App in Iran-When spyware and click froud can put millions of unaware users at risk (5 February 2018)